Hi Everyone, I just put up a new bitcoin exchange. Please let me know what you think. https://mtgox.com

Your trade mechanism seems to favor those buying bitcoins at the expense of those selling. I am not certain but I believe that bitcoin market takes the average between the high bid and the low ask while you set the price at the low ask. This is not necessarily a bad thing, but I did want to point it out.

I should add this to the site but... that ticker is:
Last Price: (The price of the last successful trade)
High: (the highest price in the last 24 hours)
Low: (the lowest price in the last 24 hours)
Volume: (the total amount traded in the last 24 hours)

Current Lowest Buy Price (This is the lowest buy price currently offered by another user)
Current Highest Sell Price (This is the highest sell price currently offered by another user)

All trades are between users. So the current buy price and current low price is just what someone else entered. You can always enter a lower or higher one.

sorry to say that, but until now your exchange service is just a password-ripoff service ....

BTW: I want you to delete my account and all associated info (like my password, dude!)

I will re-register when you fixed that password thing ...

EDIT 2004-02-27:
Since this post has gotten some attention from reddit I feel I should clarify a few things.
At the time of posting this I had a very naive perception of IT security. It is perfectly normal for sites to receive their users' passwords in cleartext and hash them afterwards (server-side).
I've since learned a lot about IT security and want to apologize for the inconvenience I brought upon the service back then.
The real problem was not the un-hashed transfer, but the transfer via GET (readable in URL) as opposed to POST (non-readable in URL), so the only attack vector was an "over the shoulder attack".

You can't use unhashed passwords at a site that deals with money. That's just one big mistake you just can't make if you want to make such a thing. What if someone hacks your database? He could steal the money and BTC funded in all your users' accounts.

That the variable coming to server is unhashed does not say that the DB uses unhashed pws.

The password is practically always transmitted cleartext to the server, within an SSL session most of the time however, on crucial things. But it does not tell whether it is hashed in the database or not.

The thing is, if the encryption is client-side, it's trivial for any hacker to hack, as the algo can be trivially disassembled and disseminated.
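
The two points made in the posts above (a password normally reaches the server in cleartext inside the TLS session and is hashed there, and it should travel in a POST body rather than a GET URL) are shown here as an added example that is not part of any post and is not the exchange's code. The form field name `password`, the host `exchange.example` and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
from urllib.parse import parse_qs, urlsplit

SENSITIVE_FIELDS = {"password"}   # assumed form field name
ITERATIONS = 600_000              # assumed PBKDF2-HMAC-SHA256 work factor
SALT_LEN = 16


def password_from_request(method, url, body):
    """Return the submitted password, refusing any request that puts it in the URL.

    URLs end up in browser history, proxy logs and server access logs,
    so a credential in the query string is rejected even on a POST.
    """
    query = parse_qs(urlsplit(url).query)
    if query.keys() & SENSITIVE_FIELDS:
        raise ValueError("credential in URL query string")
    if method.upper() != "POST":
        raise ValueError("login must use POST")
    values = parse_qs(body).get("password")
    if not values or len(values) != 1:
        raise ValueError("missing or repeated password field")
    return values[0]


def hash_password(password):
    """Server-side hashing: the database stores salt + derived key, never the password."""
    salt = os.urandom(SALT_LEN)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + key


def verify_password(password, record):
    """Recompute the key with the stored salt and compare in constant time."""
    salt, expected = record[:SALT_LEN], record[SALT_LEN:]
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(key, expected)


if __name__ == "__main__":
    # Constructed sample request, not captured traffic.
    pw = password_from_request("POST", "https://exchange.example/login",
                               "username=alice&password=s3cret")
    record = hash_password(pw)
    print(verify_password("s3cret", record), verify_password("guess", record))
```
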

SmokeTooMuch: Almost all sites do it this way. Are you worried that I personally will learn your password? You can just set your "password" to be the hash of your password if you are really worried. (or use a different one for mtgox)

I put up an offer to buy, it's below the ask price, so I am not surprised no transaction happened, but is it going to show up as the highest buy offer? Currently that is 0 (which I assume means nobody is buying bitcoins right now).